Re: [PATCH] is_selinux_enabled returns -1 on error, account for this.

On 03/18/2014 01:02 PM, Scott Sullivan wrote:
Per the documentation, is_selinux_enabled() returns -1 on error. Account for this. Previously when -1 was being returned the condition would still be true. I was noticing this because on my system that has selinux disabled I was getting this in the libvirt.log every 5 seconds:

error : virIdentityGetSystem:173 : Unable to lookup SELinux process context: Invalid argument

With this patch applied, I no longer get these messages every 5 seconds. I am submitting this in case it's deemed useful for inclusion. Anyone have any comments on this change? This is a patch off current master.


From 23e0780db43ebd3ea90710750639df901c261674 Mon Sep 17 00:00:00 2001
From: Scott Sullivan <ssullivan@xxxxxxxxxxxxx>
Date: Tue, 18 Mar 2014 12:55:50 -0400
Subject: [PATCH] is_selinux_enabled returns -1 on error, account for this.

---
 src/security/security_selinux.c |    2 +-
 src/util/viridentity.c          |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 02c7496..5f46bef 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -784,7 +784,7 @@ error:
 static int
 virSecuritySELinuxSecurityDriverProbe(const char *virtDriver)
 {
-    if (!is_selinux_enabled())
+    if (is_selinux_enabled() <= 0)
         return SECURITY_DRIVER_DISABLE;

     if (virtDriver && STREQ(virtDriver, "LXC")) {
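Review bot: the `<= 0` test on the `is_selinux_enabled()` line folds the -1 error return into the same path as a clean "disabled" result with no diagnostic, so a host where libselinux itself fails now has the SELinux security driver disabled silently rather than noisily. Consider a separate `< 0` branch that records the failure (at debug level is enough) before returning `SECURITY_DRIVER_DISABLE`, so the two situations remain distinguishable in the log; the commit message should also say when -1 is expected, since the subject line only states that it happens.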
diff --git a/src/util/viridentity.c b/src/util/viridentity.c
index 351fdd7..05e7568 100644
--- a/src/util/viridentity.c
+++ b/src/util/viridentity.c
@@ -169,7 +169,7 @@ virIdentityPtr virIdentityGetSystem(void)
         goto cleanup;

 #if WITH_SELINUX
-    if (is_selinux_enabled()) {
+    if (is_selinux_enabled() > 0) {
         if (getcon(&con) < 0) {
             virReportSystemError(errno, "%s",
_("Unable to lookup SELinux process context"));
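Review bot: the `> 0` test on the `is_selinux_enabled()` line stops the "Unable to lookup SELinux process context" error from being raised every 5 seconds when the probe returns -1, but it also drops the error case entirely, so a genuine libselinux failure is now indistinguishable from SELinux being off. Consider handling `< 0` explicitly with a low-severity log line before skipping `getcon()`, and use the same spelling of the check in both files (this hunk writes `> 0`, the security_selinux.c hunk writes `<= 0`) so the tri-state contract reads consistently.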

ping?

Looking for an ACK/NACK on this from a committer. In the case of an error condition when calling is_selinux_enabled() it seems safer to assume SELinux isn't enabled than to assume it is. If you assume it's enabled like it is in master, at least one result is "Unable to lookup SELinux process context" spewed into libvirt.log many times a minute on my systems, causing the file to grow large, and needless IO.

On my systems that do exhibit this behavior (CentOS 6), I show SELinux as disabled:

[root@host ~]# sestatus
SELinux status:                 disabled
[root@host ~]#



--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
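The tri-state contract the patch above relies on (libselinux's `is_selinux_enabled()` returns 1 for enabled, 0 for disabled and -1 on error) is easy to get wrong with a plain truthiness test, because -1 is truthy. The following is an added example, not libvirt code and not part of this thread: it shows the pre-patch check beside a corrected one that also keeps the error case visible, with the probe injected as a function pointer so it runs without libselinux installed. The names `decide_selinux`, `legacy_truthy_check` and the three `probe_*` stand-ins are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Outcome of consulting the SELinux probe (hypothetical names). */
enum selinux_decision {
    SELINUX_USE = 0,       /* probe returned 1: safe to call getcon() etc.   */
    SELINUX_SKIP,          /* probe returned 0: SELinux is cleanly disabled */
    SELINUX_SKIP_REPORTED  /* probe returned -1: skip, but record why        */
};

/* Same signature as libselinux's is_selinux_enabled(): 1 / 0 / -1. */
typedef int (*selinux_probe_fn)(void);

/* Pre-patch shape: a bare truthiness test, which treats -1 as "enabled". */
static int legacy_truthy_check(selinux_probe_fn probe)
{
    return probe() ? 1 : 0;
}

/* Post-patch shape, plus a one-line diagnostic for the error case so a
 * broken libselinux is not mistaken for SELinux being switched off.
 * 'why' may be NULL when the caller does not want the message. */
static enum selinux_decision decide_selinux(selinux_probe_fn probe,
                                            char *why, size_t why_len)
{
    int rc = probe();

    if (rc > 0)
        return SELINUX_USE;

    if (rc == 0) {
        if (why && why_len)
            why[0] = '\0';
        return SELINUX_SKIP;
    }

    /* rc < 0: libselinux reported an error; keep errno's explanation. */
    if (why && why_len)
        snprintf(why, why_len, "is_selinux_enabled() failed: %s",
                 strerror(errno));
    return SELINUX_SKIP_REPORTED;
}

/* Constructed stand-ins for the three documented return values. */
static int probe_enabled(void)  { return 1; }
static int probe_disabled(void) { return 0; }
static int probe_error(void)    { errno = EINVAL; return -1; }

int main(void)
{
    char why[128];
    selinux_probe_fn probes[] = { probe_enabled, probe_disabled, probe_error };
    const char *labels[] = { "enabled", "disabled", "error" };

    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        enum selinux_decision d = decide_selinux(probes[i], why, sizeof(why));
        printf("%-8s legacy=%d decision=%d %s\n", labels[i],
               legacy_truthy_check(probes[i]), (int)d,
               d == SELINUX_SKIP_REPORTED ? why : "");
    }
    return 0;
}
```

The legacy check answers "enabled" for the error stand-in, which is exactly the situation that produced the repeated context-lookup errors described above; the corrected function skips the SELinux work in that case but still hands back a reason, so the condition can be logged once at a low severity instead of being either spammed or lost.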



